Dr. Flex Security & Risk Analysis

wordpress.org/plugins/dr-flex

The official Dr. Flex® WordPress plugin for easy integration of the Dr. Flex® booking tool on your website.

1K active installs · v2.0.1 · PHP 5.6.28+ · WP 5.0+ · Updated Mar 11, 2025
drflexterminvereinbarung
91
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 27, 2025
Safety Verdict

Is Dr. Flex Safe to Use in 2026?

Generally Safe

Score 91/100

Dr. Flex has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 27, 2025 · Updated 1 yr ago
Risk Assessment

The dr-flex v2.0.1 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a small attack surface with no identified unprotected AJAX handlers or REST API routes. The absence of bundled libraries and external HTTP requests, along with a lack of critical or high-severity taint flows, are also encouraging signs. However, several areas warrant concern. The SQL query usage is problematic, with only 8% of queries employing prepared statements, leaving a significant portion vulnerable to SQL injection. Furthermore, over half of the output operations are not properly escaped, creating a risk of cross-site scripting vulnerabilities. The complete absence of nonce and capability checks, particularly for the identified shortcode, is a critical oversight that could allow for unauthorized actions or data manipulation. The plugin's vulnerability history, while currently showing no unpatched CVEs, indicates a past medium-severity Cross-Site Scripting vulnerability, suggesting a recurring weakness in input sanitization or output escaping. While the current version has no unpatched issues and a limited attack surface, the prevalence of unescaped output, raw SQL queries, and missing authorization checks for its entry points present significant security risks that need immediate attention.

Key Concerns

  • High percentage of SQL queries not using prepared statements
  • Significant portion of output not properly escaped
  • No nonce checks on any entry points
  • No capability checks on any entry points
  • Vulnerability history includes Cross-site Scripting
  • Flows with unsanitized paths found
Vulnerabilities
1

Dr. Flex Security Vulnerabilities

CVEs by Year

1 CVE in 2025 (patched)

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-30850 · Medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Dr. Flex <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 · Patched in 2.0.1 (7 days)
Code Analysis
Analyzed Mar 16, 2026

Dr. Flex Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 11 (1 prepared)
Unescaped Output: 11 (13 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 2
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

8% prepared · 12 total queries

Output Escaping

54% escaped · 24 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
drflex_serve_static_resources (components\drflex_rest_api.php:68)
Attack Surface

Dr. Flex Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[drflex] components\drflex_shortcode.php:106
WordPress Hooks 13
action · rest_api_init · components\drflex_rest_api.php:50
filter · rest_pre_serve_request · components\drflex_rest_api.php:179
action · plugins_loaded · dr-flex.php:117
action · admin_enqueue_scripts · dr-flex.php:151
action · wp_enqueue_scripts · dr-flex.php:188
action · admin_init · dr-flex.php:219
action · admin_menu · dr-flex.php:223
action · add_option_drflex_api_key · dr-flex.php:430
action · update_option_drflex_api_key · dr-flex.php:431
action · add_option_drflex_callback_textarea · dr-flex.php:433
action · update_option_drflex_callback_textarea · dr-flex.php:434
action · wp · dr-flex.php:791
filter · wp_nav_menu_items · dr-flex.php:813
Maintenance & Trust

Dr. Flex Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 11, 2025
PHP min version: 5.6.28
Downloads: 6K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 1K
Alternatives

Dr. Flex Alternatives

No alternatives data available yet.

Developer Profile

Dr. Flex Developer Profile

sfaerber

1 plugin · 1K total installs

Trust score: 94
Avg Security Score: 91/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect Dr. Flex

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/dr-flex/css/codemirror.css
/wp-content/plugins/dr-flex/css/drflex.css
/wp-content/plugins/dr-flex/js/drflex.js
/wp-content/plugins/dr-flex/js/codemirror.js
/wp-content/plugins/dr-flex/js/javascript.js
/wp-content/plugins/dr-flex/css/drflex-site.css
Script Paths
/wp-content/plugins/dr-flex/js/drflex.js
/wp-content/plugins/dr-flex/js/codemirror.js
/wp-content/plugins/dr-flex/js/javascript.js
Version Parameters
dr-flex/css/codemirror.css?ver=
dr-flex/css/drflex.css?ver=
dr-flex/js/drflex.js?ver=
dr-flex/js/codemirror.js?ver=
dr-flex/js/javascript.js?ver=
dr-flex/css/drflex-site.css?ver=

HTML / DOM Fingerprints

CSS Classes
drflex-button-wrapper
Data Attributes
data-drflex-shortcode-id
JS Globals
drflex_callback_function_file_name
drflex_callback_function_name
REST Endpoints
/wp-json/drflex/v1/shortcode
Shortcode Output
[drflex_booking_tool]
FAQ

Frequently Asked Questions about Dr. Flex